Aadhaar bill moved with privacy clause and Rajya Sabha shield
- Published 4.03.16
New Delhi, March 3: The Narendra Modi government today moved a piece of legislation designed to realise the full potential of the Aadhaar card that will underpin its grand programme to transfer subsidies and other benefits directly into beneficiary accounts.
But the bill sparked a caterwaul of protests from political rivals and data privacy hawks who contend that it does not have adequate provisions to prevent, deter or penalise theft of the biometric data that is at the heart of the Aadhaar card.
Finance minister Arun Jaitley introduced the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Bill 2016 as a money bill - and immediately drew flak from the Congress.
A money bill needs to be passed only in the Lok Sabha. Critics saw this as a move to bypass the Rajya Sabha where the government does not have the numbers to ensure smooth passage - which could potentially imperil the government's efforts to project itself as the Nanny State that seeks to soothe the pangs of the poor and underprivileged.
Jaitley argued that the bill had been correctly characterised as a money bill since it involved the transfer of monies from the Consolidated Fund of India, which is the repository of all revenues that the government receives as well as receipts from loan recoveries. No amount can be drawn from this fund without authorisation from Parliament.
Congress leader Mallikarjun Kharge said a similar bill had been introduced by the UPA government. But the NDA government had now turned it into a money bill to "avoid" the Rajya Sabha.
"This bill is significantly different from the earlier bill. It confines itself to government expenditure," Jaitley contended.
The UPA government had introduced the National Identification Authority of India (NIDAI) Bill, 2010 in the Rajya Sabha to provide statutory backing to the Unique Identification Authority of India (UIDAI). The government today withdrew that bill in the upper House.
The finance minister said the Aadhaar Bill was a textbook definition of a money bill and reminded the Congress that it had used the same ruse to pass legislation relating to juvenile justice and compensation for workmen's injury when it was in power.
But the bigger beef was over data privacy - an issue that resonates with netizens who have become increasingly concerned over compromised digital identities and information.
"This is a great step forward," said Supreme Court advocate Pawan Duggal who specialises in cyber laws. "But there are many conflicts with the Information Technology Act, which will create potential challenges. The bill also does not mention reasonable practices or procedures to protect privacy of information. It is silent on data privacy."
Jaitley said the bill had a proviso that said only officers of joint secretary-level and above could order sharing of biometric information.
Telecom department officials said the bill provided a framework to ensure that biometric details of citizens that were collected would be discreetly held in a national repository. Users accessing this database - like banks for instance - would only be able to generate Aadhaar numbers or authenticate identities.
In cases of national security, an officer not below the rank of a joint secretary would be empowered to call for disclosure of information. An oversight committee, comprising the cabinet secretary and secretaries in the departments of legal affairs, and electronics and information technology, would review each decision before the information was disclosed.
But the assurance failed to quell privacy concerns.
Duggal said there was no explanation of how the UIDAI - the entity that will enrol members and manage the information they share with it - would protect the privacy of individual information.
"The main issue is to stabilise the Aadhaar network and protect it from instances of cyber terror and theft. While there is some mention of unauthorised access in this bill, it is not comprehensive. Far more thought needs to be given to protection of not just biometric information but also other sensitive personal data that is generated like photographs, mobile number and addresses when Aadhaar is generated," the lawyer said.
The bill proposes imprisonment of up to three years and fine of Rs 10,000, which will be Rs 1 lakh in the case of a company, for disclosing or sharing the core biometric information. Many analysts considered the fines to be too low to act as a deterrent.
The bill enjoins UIDAI to take all necessary steps to ensure the confidentiality of identity information by protecting it against access or disclosure, or accidental and intentional damage.
Information will be stored in a centralised database of biometrics, the Central Identities Data Repository. The UIDAI will not only take all appropriate technical measures but also ensure that any agency it hires will follow these security measures.
Information other than core biometrics may be shared under certain rules that are yet to be framed. Identity information cannot be disclosed except with the prior consent of the individual. Biometric information will be considered an "electronic record" and "sensitive personal data or information".
"Section 30 of the Aadhaar Bill protects only the biometric information, while other personal information including photographs, names, addresses, demographic information is not as well protected, giving rise to apprehensions," Duggal said.
"Since Aadhaar is expected to be the basis for India's future progress, it should not be done in a hurry. All aspects of data protection need to be thoroughly addressed, especially since India still does not have a dedicated law on digital privacy, data protection or encryption. No threshold has been set for non-biometric information that can be disclosed and what will be protected," he added.
Basis for payouts
One major area of concern is that the bill makes "proof of Aadhaar number and Aadhaar authentication as a condition for receipt of benefit, subsidy, etc. funded from Consolidated Fund of India" - a requirement that did not exist in the UPA's legislation.
However, it is provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.
Nandan Nilekani, regarded as the father of the Aadhaar card idea, had said soon after the card was made mandatory for direct benefit transfers in this year's budget that "this has become central to the government's transformation agenda and will help clear ambiguity in the courts".
But this feature of the proposed legislation appears to run counter to two rulings of the Supreme Court. "The production of an Aadhaar card will not be a condition for obtaining any benefits otherwise due to a citizen," the apex court had said in an interim order last August when it exempted its use for public distribution system (PDS) and LPG distribution.
The court iterated its stance in October last year when the Union government sought concession for voluntary use of Aadhaar in other government programmes pending a final verdict on the issue.
"We will also make it clear that the Aadhaar card scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this court one way or the other," the Supreme Court had ordered while allowing the government to allow use of Aadhaar in schemes like MGNREGA, the Prime Minister's Jan Dhan Yojana and National Social Assistance Programme.
The government and financial regulators - the RBI, Sebi and the IRDA - were in a tight spot on Aadhaar after the Supreme Court restricted the use of the unique identification number until a constitution bench decided on it. Many of these problems are expected to be resolved when Parliament passes the Aadhaar bill.
Earlier, there was no time specification for a resident. Now, a resident is an individual who has resided in India for a period or periods amounting in all to 182 days or more in 12 months preceding the date of enrolment.
Till date, over 98 crore Aadhaar numbers have been generated. The Aadhaar numbers have been seeded in 11.19 crore DBTL (direct benefit transfer of LPG) accounts out of 16.5 crore beneficiaries.